Cybersecurity Pros Join 'Right to Repair' Battle | Tech Law

Securepairs.org, an advocacy organization formed by cybersecurity professionals, on Tuesday announced that it has joined the fight for "right to repair" legislation, which would allow consumers and third parties to repair electronic equipment without voiding manufacturers' warranties.

Legislators in about 20 states have been working on some form of this legislation, but their efforts have been stymied by a number of tech companies, including Apple, Lexmark and Verizon. Industry groups, including the Consumer Technology Association, Association of Home Appliance Manufacturers, and CompTIA, also have opposed the proposals.

"In every case, these laws have been killed off in committee by business interests," said Securepairs.org founder Paul F. Roberts, editor-in-chief of The Security Ledger.

"To date, none has made it to the floor of a statehouse for a vote -- a testament to the power of special interests, in this case major electronics, technology and telecommunications firms," he told TechNewsWorld.

That's just what happened to California's proposed right to repair legislation.

CompTIA and 18 other trade organizations associated with big tech companies -- including CTIA and the Entertainment Software Association -- wrote committee members to express opposition to the bill, Motherboard reported.

Subsequently, an Apple representative and a lobbyist for CompTIA reportedly met privately with Committee members.

Eggman has withdrawn the bill.

"It became clear the bill would not have the support it needed today, and manufacturers have sown enough doubt with vague and unbacked claims of privacy and security concerns," she told TechNewsWorld.

The Industry's Battle

The threat to consumer security and privacy has become the electronic device industry's latest meme to challenge right to repair laws.

For example, right to repair legislation "would force all electronics manufacturers to reveal sensitive technical information about thousands of internet-connected products including security cameras, computers, smart home devices, video game platforms, smartphones and more -- putting consumers and their data at risk," wrote Earl Crane, a senior cybersecurity fellow at the University of Texas at Austin, in an op-ed published in the St. Cloud Times.

If passed, manufacturers "would have to share codes, tools and supply chain access to anyone who purchases a product," contended Crane, who is an advisor to the Security Innovation Center.

Doing so would provide "a roadmap to those who want to infiltrate consumer products," he argued.

The Security Innovation Center (SIC) "is just one facet of a multifaceted effort by industry groups to sink right to repair legislation in the states," Securepairs.org's Roberts said.

Groups like CompTIA and TechNET fund SIC and "do lots of other kinds of outreach to lawmakers to spread false narratives about safety and security risks [caused by] repair," he said.

However, security on many Internet-connected devices has been found lacking, which undercuts the industry's stance.

Millions of Internet-connected devices recently were found to have critical security flaws, Krebs on Security reported earlier this month.

As for concerns that information about secure components would be jeopardized, the most common repairs are "focused on screens and batteries," observed Rob Enderle, principal analyst at the Enderle Group.

The contention of a threat to security "is largely false, mainly because the secure components generally aren't at risk of breakage," he told TechNewsWorld. "If they do break, the damage is generally so great that repairing the phone would cost more than replacing it."

Further, "open source was driven by users, and once proper quality controls were in place, it massively benefited both user choice and user costs," Enderle pointed out.

It's All About the Money

"This is largely about controlling the service revenue stream, which is currently holding up Apple's sliding financials," Enderle said. "It's more profitable to lock users into [manufacturers'] resources."

Right to repair laws would lower user costs and increase reuse while reducing premature disposal, he suggested. However, as a result, they would "sharply reduce both service and replacement sales revenues."

On the other hand, the use of unauthorized third-party parts in attempts to repair iPhones has caused damage to some devices.

It is possible that users and third-party repair services might turn to cheaper parts of lower quality, but "the process the auto industry uses to ensure car part quality isn't compromised could likely be applied here," Enderle suggested.

Securepairs.org Steps Up

To defend against the industry's opposition, Securepairs.org is "ramping up efforts beginning with states where R2R legislation is still being considered, including Minnesota, Massachusetts, and New York," Roberts said.

It has attracted "some of the top information security experts in the world," he added, including Bruce Schneier, Katie Moussouris, Chris Wysopal and Gary McGraw.

Securepairs.org experts volunteer their time, Roberts said.

It "isn't about going toe-to-toe with Apple and Microsoft. It's about connecting a community of expertise with lawmakers who are trying to make difficult, subtle decisions involving cybersecurity and technology," he explained.

California Assemblymember Eggman isn't giving up her fight.

"I feel that we are on the right side of this issue, and that ultimately the bill will prevail," she said. "I will be working with members of the [Privacy and Consumer Protection] Committee in the coming months to secure the support needed to make the right to repair a reality in California."

She plans to reintroduce her bill next year.

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology.